Back in September last year, there was a disturbing story that the sexual health clinic in Soho, 56 Dean Street, had accidentally sent 800 emails to the wrong people. Now, this would be bad enough if it were a chiropody clinic, but for some people, even the hint that they might have been naughty in the bedroom with someone else can be damaging in itself.
But these things happen. The Government lost a CD with the entire nation’s child benefit records and the Philippines has just had the privacy of every single voter compromised.
So I went to get an appointment for my once-in-a-while HIV test and check-up. Hurray! You can book an appointment online!
Boo! They let their SSL certificate expire on Friday, 11 March 2016. This produces a full-page security error in every modern browser and would likely scare off most right-thinking people from going any further.
I messaged the Chief Information Officer for the Chelsea & Westminster NHS Trust via LinkedIn. He’s not got back to me. I emailed the web team at Chelsea & Westminster, and tweeted 56 Dean St, but no-one’s gotten back to me via those channels either.
As it turns out, when you click through the dire security warnings, you can’t book online anyway!
It has to be said, the staff at 56 Dean Street are super-awesome. I’ve used them before, and taken friends too. Everyone should know that if they need reassurance from an HIV test, Post Exposure Prophylaxis, the morning after pill or anything else to do with sexual health, they are an invaluable resource. And they’re very gentle when poking a swab up your bum, for which we can all be thankful.
My interest was piqued by Ars Technica’s story that Gogo’s in-flight wifi services block some VPNs, and the thrust of the story is that you shouldn’t do sensitive work on a plane using their service.
Previously, Google engineers had noticed Gogo impersonating their secure sites by issuing look-alike security certificates.
So Gogo are compromising your security, and sometimes crippling your ability to mitigate those risks by using a VPN. Of course, Gogo have been called out for doing this publicly, but any wifi provider in a coffee shop, train station or airport lounge could do exactly the same thing.
To help mitigate such risks, browser builders have employed technologies such as HTTP Public Key Pinning (HPKP). When you visit a site over HTTPS, it can send your browser fingerprints (SHA-256 hashes) of one or more of its public keys and tell the browser to trust the site in future only when the certificate chain it presents contains one of those keys. Once you have that site’s keys “pinned”, should a naughty wifi network try to impersonate the site with a certificate carrying a different key, your browser will recognise the mismatch and refuse to connect, and the naughty wifi network people don’t get to see your private data. The protection only applies from the second visit onwards: the pins have to be learned over a connection that was not already being tampered with.
You would think that of all the sites who need to use such technologies to protect their users, the banks would be pretty high up the list. Today I performed a quick test of 10 of the largest UK retail banks to see what their approach to browser security is. (Full disclosure: I’m an interested amateur rather than a proper certified security expert in these matters).
Shockingly, the protection offered by Public Key Pinning is NOT USED by any of these banks, so you’re not protected against impersonations when using a public wifi network.
8 out of 10 don’t send HTTP Strict Transport Security (HSTS), the header that tells a browser to only ever connect to the site over HTTPS.
NONE of the 10 banks’ main sites enforce SSL connections, meaning that the connection between you and their insecure main page can be intercepted and altered. A malicious network operator can therefore rewrite the destination of that “secure” Login button on the way to your browser. (Would you notice if the button pointed to https://onlinebanking.haIifax.co.uk?)
Unbelievably, two of the worst offenders actively block HTTPS connections to their main retail site.
A long time ago, running your website over HTTPS was expensive and technically tricky, so you could be forgiven for thinking that you only needed to use a secure site for the most sensitive parts of your business. Now, website security is cheap and ubiquitous, so I do not understand how UK retail banks can fail to use the tools at their disposal.
I typed the bank’s domain name into a web browser URL bar to see if the site redirected to an SSL version of the site, ensuring that all connections to the site were secure, not just some of them.
I used Qualys SSL Labs to get a security grade for each bank’s main website and then the web domain used by the retail online banking application, where different.
I also used Scott Helme’s excellent SecurityHeaders.io tool to see what security related headers were being returned by the sites, especially HTTP Strict Transport Security and HTTP Public Key Pinning.
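The same three checks can be scripted. The block below is an added example written for this post, not code from the author, SSL Labs or SecurityHeaders.io, and it also shows the pinning decision the browser makes once it holds a site’s pins. It runs offline against a constructed table of HTTP responses (the two bank hostnames, the header values and the placeholder byte strings standing in for DER SubjectPublicKeyInfo blobs are all made up for illustration; a real client would fetch the URLs and pull the SPKI out of each certificate in the chain).

```python
import base64
import hashlib
from dataclasses import dataclass


@dataclass
class Response:
    """Minimal stand-in for an HTTP response: status code and lower-cased header names."""
    status: int
    headers: dict


def parse_hsts(value):
    """Parse a Strict-Transport-Security value.

    Returns (max_age, include_subdomains, preload), or None when the header is
    missing or has no usable max-age (browsers ignore such a header).
    """
    max_age, include_sub, preload = None, False, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(val.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return max_age, include_sub, preload


def parse_hpkp(value):
    """Parse a Public-Key-Pins value into (set of pin-sha256 strings, max_age).

    RFC 7469 requires max-age and at least two pins (one of them a backup key
    not in the served chain); anything less is treated as no pinning at all.
    """
    pins, max_age = set(), None
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "pin-sha256":
            pins.add(val)
        elif name == "max-age":
            try:
                max_age = int(val)
            except ValueError:
                return None
    if max_age is None or len(pins) < 2:
        return None
    return pins, max_age


def spki_pin(spki_der):
    """An HPKP pin is base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def chain_matches_pins(chain_spkis, pins):
    """The browser's rule: the connection is allowed only if SOME certificate in
    the presented chain hashes to one of the pinned values."""
    return any(spki_pin(spki) in pins for spki in chain_spkis)


def audit(host, fetch):
    """Apply the post's three checks to one hostname.

    `fetch` maps a URL to a Response and stands in for a real HTTP client.
    """
    plain = fetch.get(f"http://{host}/")
    secure = fetch.get(f"https://{host}/")
    redirects = (plain is not None and plain.status in (301, 302, 307, 308)
                 and plain.headers.get("location", "").lower().startswith("https://"))
    hsts = secure is not None and parse_hsts(
        secure.headers.get("strict-transport-security", "")) is not None
    hpkp = secure is not None and parse_hpkp(
        secure.headers.get("public-key-pins", "")) is not None
    return {"redirects_to_https": redirects, "hsts": hsts, "hpkp": hpkp}


# Constructed placeholders for DER SubjectPublicKeyInfo blobs (not real keys).
GOOD_LEAF = b"constructed-spki-of-the-bank's-leaf-cert"
BACKUP_KEY = b"constructed-spki-of-an-offline-backup-key"
MITM_LEAF = b"constructed-spki-of-a-wifi-interceptor-cert"

# Constructed responses: one bank doing it right, one matching the post's findings.
SAMPLE_SITES = {
    "good-bank.example": {
        "http://good-bank.example/": Response(301, {"location": "https://good-bank.example/"}),
        "https://good-bank.example/": Response(200, {
            "strict-transport-security": "max-age=31536000; includeSubDomains",
            "public-key-pins": f'pin-sha256="{spki_pin(GOOD_LEAF)}"; '
                               f'pin-sha256="{spki_pin(BACKUP_KEY)}"; max-age=5184000',
        }),
    },
    "lazy-bank.example": {
        "http://lazy-bank.example/": Response(200, {"content-type": "text/html"}),
        "https://lazy-bank.example/": Response(200, {"content-type": "text/html"}),
    },
}


def pinning_outcomes():
    """What a browser that has already learned good-bank's pins decides."""
    pins, _ = parse_hpkp(SAMPLE_SITES["good-bank.example"]
                         ["https://good-bank.example/"].headers["public-key-pins"])
    return {
        "genuine_chain": chain_matches_pins([GOOD_LEAF, b"constructed-intermediate"], pins),
        "interceptor_chain": chain_matches_pins([MITM_LEAF, b"constructed-intermediate"], pins),
    }


if __name__ == "__main__":
    for host, table in SAMPLE_SITES.items():
        print(host, audit(host, table))
    print("pinning:", pinning_outcomes())
```

The interceptor chain fails even though, on an untrusted network, it might carry a certificate the browser would otherwise accept; that is the whole point of pinning. One caveat worth knowing: HPKP has since been withdrawn from the mainstream browsers, largely because a mistaken pin locks a site’s own users out, so today the redirect and HSTS checks are the ones that still matter, while the pin-matching logic survives in mobile apps and other clients that pin explicitly.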
One of the most visited posts on this site is my list of the direct stream URLs for BBC Radio services. Since it was posted, the BBC have revamped their streaming infrastructure, and most internet radio services can only access the Long Wave version of Radio 4. This is hugely annoying, as it includes guff like The Daily Service.
Thanks to the BBC HTML5 Beta, we seem to have a working .m3u8 for Radio 4 FM. For your delectation (terms & conditions apply; the value of your internet radio device may go down as well as up): BBC Radio 4 FM .m3u8